CVE-2022-3180

9.8 CRITICAL

📋 TL;DR

CVE-2022-3180 is an unauthenticated privilege escalation vulnerability in the WPGateway WordPress plugin that allows attackers to create administrator accounts without any authentication. It affects all WordPress sites running the WPGateway plugin at version 3.5 or earlier. Attackers can gain full control of vulnerable WordPress installations.

💻 Affected Systems

Products:
  • WPGateway WordPress Plugin
Versions: All versions up to and including 3.5
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Any WordPress site with the WPGateway plugin installed and activated is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the WordPress site, with the attacker gaining administrative access, installing backdoors, defacing the site, stealing data, and using the site for further attacks.

🟠 Likely Case

Attackers create hidden admin accounts, install malware or backdoors, and use the compromised site for phishing, spam distribution, or cryptocurrency mining.

🟢 If Mitigated

If detected early, impact is limited to temporary site disruption during cleanup and potential data exposure during the compromise window.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and this vulnerability requires no authentication, making all vulnerable installations immediately exploitable.
🏢 Internal Only: LOW - WordPress sites are rarely internal-only, but if they are, risk is limited to internal threat actors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Actively exploited in the wild since September 2022, with public exploit code available. The attack requires only HTTP access to a vulnerable WordPress site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2783222/wpgateway

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the WPGateway plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.

🔧 Temporary Workarounds

Disable WPGateway Plugin (platform: all)

Deactivate the vulnerable plugin to prevent exploitation:

  wp plugin deactivate wpgateway

Remove Plugin Files (platform: linux)

Completely remove the plugin files from the WordPress installation:

  rm -rf /path/to/wordpress/wp-content/plugins/wpgateway/

🧯 If You Can't Patch

  • Immediately deactivate and remove WPGateway plugin from all WordPress installations
  • Implement web application firewall rules to block requests to wpgateway.php endpoints

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel → Plugins → Installed Plugins for the WPGateway version. If the version is 3.5 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=wpgateway --field=version

Verify Fix Applied:

Verify that the WPGateway plugin is either updated to version 3.6 or later or completely removed from the wp-content/plugins directory.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-content/plugins/wpgateway/wpgateway.php with admin creation parameters
  • Sudden creation of new administrator accounts
  • Unusual plugin activation/deactivation events

Network Indicators:

  • HTTP requests containing 'wpgateway.php' in the URL path, with POST data including 'action=create_admin' or similar parameters

SIEM Query:

source="web_logs" AND (url="*wpgateway.php*" AND (method="POST" OR params="*action=create_admin*"))
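Added example (not from the advisory or the plugin vendor): a small Python checker that applies the first log indicator above to web server access logs in combined format, flagging POST requests whose path contains wpgateway.php and ranking the source IPs that sent them. The log lines and IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# Regex for the Apache/Nginx combined log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicator from the advisory: POST requests whose path contains wpgateway.php.
INDICATOR = "wpgateway.php"


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_wpgateway_posts(lines):
    """Return parsed entries for POST requests to a path containing wpgateway.php."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        # Case-insensitive match so WPGateway.php or query strings are not missed.
        if entry["method"] == "POST" and INDICATOR in entry["path"].lower():
            hits.append(entry)
    return hits


def sources_by_count(hits):
    """Rank source IPs by number of matching requests, most frequent first."""
    return Counter(h["ip"] for h in hits).most_common()


# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Sep/2022:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.10 - - [15/Sep/2022:10:01:05 +0000] "POST /wp-content/plugins/wpgateway/wpgateway.php HTTP/1.1" 200 98',
    '198.51.100.7 - - [15/Sep/2022:10:02:11 +0000] "GET /wp-content/plugins/wpgateway/wpgateway.php HTTP/1.1" 200 512',
    '203.0.113.10 - - [15/Sep/2022:10:02:30 +0000] "POST /wp-content/plugins/wpgateway/WPGateway.php?x=1 HTTP/1.1" 302 0',
    '192.0.2.44 - - [15/Sep/2022:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    hits = find_wpgateway_posts(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["path"], h["status"])
    print(sources_by_count(hits))
```

Any hit should be correlated with the user table (new administrator accounts created around the same timestamp) before treating it as confirmed compromise, since a GET to the same file is normal plugin traffic.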
